<html>
<head><meta charset="utf-8"><title>RustSec communications · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html">RustSec communications</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="223762306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223762306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223762306">(Jan 23 2021 at 18:11)</a>:</h4>
<p>We have a bunch of outstanding PRs for advisories that do not have a fixed version. I want to figure out a way to communicate the presence of the advisory to the upstream maintainers. This should not cause additional frustration, should not be too long to read, and ideally should also prompt them to fix the issue. This is the best I've got so far:</p>
<blockquote>
<p>Heads up: this issue has been submitted to the <a href="https://github.com/RustSec/advisory-db">RustSec advisory database</a>. It will be surfaced by tools such as <a href="https://github.com/RustSec/cargo-audit">cargo-audit</a> or <a href="https://github.com/EmbarkStudios/cargo-deny">cargo-deny</a> from now on.</p>
</blockquote>
<p>Thoughts?</p>



<a name="223762309"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223762309" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223762309">(Jan 23 2021 at 18:11)</a>:</h4>
<p>This can be expanded to cover other situations, I've drafted this in <a href="https://hackmd.io/_4CmY8AAQ1Ks8D7KIDTXmg">https://hackmd.io/_4CmY8AAQ1Ks8D7KIDTXmg</a></p>



<a name="223762578"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223762578" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223762578">(Jan 23 2021 at 18:18)</a>:</h4>
<p>Perhaps we should make this a (policy) requirement that when submitting rustsec advisories for unfixed things, you need to notify the upstream maintainers of your PR?</p>



<a name="223762741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223762741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223762741">(Jan 23 2021 at 18:23)</a>:</h4>
<p>That seems reasonable.<br>
However, I want to avoid putting this on the submitter, since they already have a long template to fill, and requiring even more of them will increase the entry barrier, resulting in fewer advisories filed.<br>
But it is easy enough for an advisory DB maintainer to copy-paste from the template to the upstream issue to notify them. That's why I'm writing the templates.</p>



<a name="223767330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223767330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223767330">(Jan 23 2021 at 19:13)</a>:</h4>
<p>The more interesting question is, should we provide some kind of grace period for maintainers before we go ahead and file an advisory?</p>



<a name="223787750"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223787750" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BlackHoleFox <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223787750">(Jan 24 2021 at 00:59)</a>:</h4>
<p>Does the crate's download count/popularity play into the proposed grace period, i.e. since there's a higher chance someone could be at risk, or is a flat policy closer to what's desired?</p>



<a name="223839335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223839335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223839335">(Jan 24 2021 at 22:24)</a>:</h4>
<p>I guess we can be more lax towards crates with few users, not to discourage maintainers of budding crates? But I don't have a strong opinion on that.</p>



<a name="223915757"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223915757" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223915757">(Jan 25 2021 at 15:50)</a>:</h4>
<p>waiting to get a patched version, particularly of widely used crates, is pretty important IMO. otherwise the advisories aren't actionable</p>



<a name="223953629"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223953629" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223953629">(Jan 25 2021 at 20:13)</a>:</h4>
<p>When we request RustSec advisories, we are prioritizing bugs which (1) are fixed or (2) we didn't get any response about from the author. We postpone reporting the bugs to RustSec (3) if the author acknowledged the bug but the fix is not implemented yet.</p>
<p>I think having a notification from RustSec helps in all three situations. For fixed bugs, we can encourage the author to comment on the advisory content, who is likely to have more domain knowledge about the crate. For bugs without fixes or that are being delayed, a notification about the grace period from RustSec would be a much better way to give a heads up than a bug reporter saying "hey, if this is not fixed in X days, I will report it to RustSec."</p>



<a name="223957064"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/223957064" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#223957064">(Jan 25 2021 at 20:42)</a>:</h4>
<p>That makes a lot of sense. Thanks!</p>



<a name="224216294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224216294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224216294">(Jan 27 2021 at 17:28)</a>:</h4>
<p>We have ~30 PRs outstanding for advisories without a patched version and with unresponsive upstream maintainers. I want to start merging them, but I could use some help in polishing up the comms for the maintainers. This is a draft of what I'm going to post on the upstream issue:</p>
<blockquote>
<p>Heads up: this issue has been included in the <a href="https://github.com/RustSec/advisory-db">RustSec advisory database</a>. It will be surfaced by tools such as <a href="https://github.com/RustSec/cargo-audit">cargo-audit</a> or <a href="https://github.com/EmbarkStudios/cargo-deny">cargo-deny</a> from now on.<br>
Once a fix is released to <a href="http://crates.io">crates.io</a>, please let us know and we'll include the fixed version in the advisory.</p>
</blockquote>
<p>Thoughts?</p>



<a name="224216401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224216401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224216401">(Jan 27 2021 at 17:29)</a>:</h4>
<p>I'd specifically mention that they can let us know by sending a PR to update the advisory with the patched version.</p>



<a name="224217021"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224217021" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224217021">(Jan 27 2021 at 17:33)</a>:</h4>
<p>Given that the upstream is already unresponsive, I'm not sure I want to create more work for them. Any tips on how to word that without making it feel like fixing the issue would now take even more work than before?</p>



<a name="224217267"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224217267" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224217267">(Jan 27 2021 at 17:34)</a>:</h4>
<p>Maybe something like, "please ping us with a comment on the linked RustSec issue above or send us a pull request to update the advisory with the patched version"</p>



<a name="224217316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224217316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224217316">(Jan 27 2021 at 17:35)</a>:</h4>
<p>Since just making a comment is pretty low-friction and they can still send a full pull request if they want.</p>



<a name="224218129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224218129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224218129">(Jan 27 2021 at 17:40)</a>:</h4>
<blockquote>
<p>Heads up: this issue has been included in the <a href="https://github.com/RustSec/advisory-db">RustSec advisory database</a>. It will be surfaced by tools such as <a href="https://github.com/RustSec/cargo-audit">cargo-audit</a> or <a href="https://github.com/EmbarkStudios/cargo-deny">cargo-deny</a> from now on.<br>
Once a fix is released to <a href="http://crates.io">crates.io</a>, please comment on the advisory thread linked above, or open a pull request to update the advisory with the patched version.</p>
</blockquote>
<p>Is this better?</p>



<a name="224227207"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224227207" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224227207">(Jan 27 2021 at 18:37)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> <span class="user-mention" data-user-id="329529">@Yechan Bae</span> I'd like to get your opinion on the text above before I go posting it to 30 github issues</p>



<a name="224227330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224227330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224227330">(Jan 27 2021 at 18:37)</a>:</h4>
<p>I don't love the suggestion to leave a comment, I think it's going to end with comments on closed PRs that no one notices, which will be sad for everyone.</p>
<p>I assume the message will include a link to the PR with the advisory.</p>



<a name="224227545"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224227545" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224227545">(Jan 27 2021 at 18:39)</a>:</h4>
<p>The comment gets mailed out to whoever filed the advisory plus whichever rustsec member triaged it, do you think it'll still be missed?</p>



<a name="224227818"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224227818" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224227818">(Jan 27 2021 at 18:41)</a>:</h4>
<p>With 30 of them, even if there's a 95% chance any individual one is noticed and acted on, that's an 80% chance we'll miss at least one. I'm a big believer in making sure things are visible -- comments on closed issues are easily missed, a fresh issue or PR will not be.</p>



<a name="224228137"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224228137" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224228137">(Jan 27 2021 at 18:43)</a>:</h4>
<blockquote>
<p>Heads up: this issue has been included in the <a href="https://github.com/RustSec/advisory-db">RustSec advisory database</a>. It will be surfaced by tools such as <a href="https://github.com/RustSec/cargo-audit">cargo-audit</a> or <a href="https://github.com/EmbarkStudios/cargo-deny">cargo-deny</a> from now on.<br>
Once a fix is released to <a href="http://crates.io">crates.io</a>, please open a pull request to update the advisory with the patched version, or file an issue on <a href="https://github.com/RustSec/advisory-db">the advisory database repository</a>.</p>
</blockquote>
<p>Is that better?</p>



<a name="224228246"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224228246" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224228246">(Jan 27 2021 at 18:44)</a>:</h4>
<p>I was hoping to lean into the automatic linking that GitHub already does instead of manually copy-pasting the ID into every comment, because with 30 of them I'll surely get at least one wrong.</p>



<a name="224228334"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224228334" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224228334">(Jan 27 2021 at 18:45)</a>:</h4>
<p>Text looks good to me. Thanks!</p>



<a name="224264242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224264242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224264242">(Jan 27 2021 at 23:30)</a>:</h4>
<p>In the long term, I think it would be good to have an official grace period in the RustSec policy and mention that. Considering that we don't have such a concept yet, the text looks good to me.</p>



<a name="224264263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224264263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224264263">(Jan 27 2021 at 23:30)</a>:</h4>
<p>Thanks for the effort!</p>



<a name="224365975"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224365975" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224365975">(Jan 28 2021 at 17:53)</a>:</h4>
<p>feels a bit like a disclosure policy, except for things that are already public, just not automatically spammed</p>



<a name="224546411"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224546411" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224546411">(Jan 29 2021 at 22:47)</a>:</h4>
<p>Thanks for the input <span class="user-mention" data-user-id="329529">@Yechan Bae</span>! I'll try to handle the outstanding advisory PRs with this messaging on Saturday. Here's to hoping it goes better than last time <span aria-label="see no evil" class="emoji emoji-1f648" role="img" title="see no evil">:see_no_evil:</span></p>



<a name="224546492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224546492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224546492">(Jan 29 2021 at 22:48)</a>:</h4>
<p>(Last time: <a href="https://www.reddit.com/r/rustjerk/comments/l1habt/">https://www.reddit.com/r/rustjerk/comments/l1habt/</a>)</p>



<a name="224603523"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20communications/near/224603523" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20communications.html#224603523">(Jan 30 2021 at 20:29)</a>:</h4>
<p>I've merged around 15 outstanding advisory PRs; I'll start a thread about the remaining ones.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>